Harden REST API option handling and require authentication credentials (#6073)

2026-06-21 15:12:16 +00:00 · 2026-06-10 18:37:46 +02:00 · 2026-06-10 18:37:46 +02:00 · ab1efed0d5
commit ab1efed0d5
parent ecf8ccc72e
4 changed files with 17 additions and 6 deletions
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -20,7 +20,7 @@ from lib.core.enums import OS
 from thirdparty import six

 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.10.6.51"
+VERSION = "1.10.6.52"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
--- a/lib/utils/api.py
+++ b/lib/utils/api.py
@ -490,6 +490,11 @@ def option_set(taskid):
        logger.warning("[%s] Invalid JSON options provided to option_set()" % taskid)
        return jsonize({"success": False, "message": "Invalid JSON options"})

+    for key in request.json:
+        if key in RESTAPI_UNSUPPORTED_OPTIONS:
+            logger.warning("[%s] Unsupported option '%s' provided to option_set()" % (taskid, key))
+            return jsonize({"success": False, "message": "Unsupported option '%s'" % key})
+
    for option, value in request.json.items():
        DataStore.tasks[taskid].set_option(option, value)

@ -687,6 +692,9 @@ def server(host=RESTAPI_DEFAULT_ADDRESS, port=RESTAPI_DEFAULT_PORT, adapter=REST
    REST-JSON API server
    """

+    if not all((username, password)):
+        logger.critical("REST-JSON API server requires both username and password")
+
    DataStore.admin_token = encodeHex(os.urandom(16), binary=False)
    DataStore.username = username
    DataStore.password = password